paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 21:43:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

saml: Don't allow listing zulip_groups in extra_attrs in IdP config.

Browse Source 
zulip_groups is a special attribute, for the group sync feature, and
will always be read from the SAMLResponse if it's present and group sync
is enabled.
Listing it in extra_attrs is a misconfiguration that results in
confusing behavior. See #35787.
This commit is contained in:
Mateusz Mandera
2025-08-21 01:18:29 +08:00
committed by Tim Abbott
parent a0c198ad99
commit 7d40fcfd7e
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
zproject/computed_settings.py
View File

@@ -1207,6 +1207,9 @@ for idp_name, idp_dict in SOCIAL_AUTH_SAML_ENABLED_IDPS.items():
path = f"/etc/zulip/saml/idps/{idp_name}.crt" path = f"/etc/zulip/saml/idps/{idp_name}.crt"
idp_dict["x509cert"] = get_from_file_if_exists(path) idp_dict["x509cert"] = get_from_file_if_exists(path)
if "zulip_groups" in idp_dict.get("extra_attrs", []):
raise AssertionError("zulip_groups can't be listed in extra_attrs in the IdP config.")
def ensure_dict_path(d: dict[str, Any], keys: list[str]) -> None: def ensure_dict_path(d: dict[str, Any], keys: list[str]) -> None:
for key in keys: for key in keys: